Google’s Project Zero researchers have disclosed a Windows 0day vulnerability that allows attackers to escape Chrome sandboxes and run malware on Windows.
Google’s Project Zero researchers Mateusz Jurczyk and Sergei Glazunov have discovered a new zero-day security flaw in the cng!CfgAdtpFormatPropertyBlock function’s IOCTL 0x390400.
Reportedly, it is an integer overflow flaw originated from one of the IOCTLs that the Kernel Cryptography Driver (cng.sys) in Windows supports. The flaw can lead to privilege escalation and allow attackers to escape sandboxes.
“The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures. It constitutes a locally accessible attack surface that can be exploited for privilege escalation,” explained Jurczyk.
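The article describes the bug class (an integer overflow in the handling of an IOCTL input structure) without giving the cng.sys specifics, so the following is an added illustration, not Project Zero's or Microsoft's code and not the real cng.sys structure. It uses a hypothetical header with `count` and `entry_size` fields (both constructed names) and shows the typical failure: a length check that multiplies two attacker-controlled fields in 32-bit arithmetic lets the product wrap to a small value, so a tiny buffer "validates" against a huge declared payload. The hardened variant performs the multiplication with an explicit overflow check before comparing against the actual buffer size.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed example header for a hypothetical IOCTL input blob:
 * a header followed by `count` entries of `entry_size` bytes each.
 * This is NOT the real cng.sys structure. */
typedef struct {
    uint32_t count;       /* number of entries that follow */
    uint32_t entry_size;  /* size in bytes of each entry */
} blob_header_t;

/* Vulnerable pattern: count * entry_size is computed in 32 bits and can
 * wrap, so a small wrapped total passes the bounds check even though a
 * later per-entry loop would walk far past the end of the buffer. */
bool validate_blob_unsafe(const uint8_t *buf, size_t len) {
    if (len < sizeof(blob_header_t)) return false;
    blob_header_t h;
    memcpy(&h, buf, sizeof h);
    uint32_t total = h.count * h.entry_size;       /* may wrap */
    return len >= sizeof(blob_header_t) + total;   /* passes after wrap */
}

/* Hardened pattern: widen to size_t, reject any header whose product would
 * overflow, then compare against the bytes actually present after the header. */
bool validate_blob_safe(const uint8_t *buf, size_t len) {
    if (len < sizeof(blob_header_t)) return false;
    blob_header_t h;
    memcpy(&h, buf, sizeof h);
    if (h.entry_size != 0 && h.count > SIZE_MAX / h.entry_size) return false;
    size_t total = (size_t)h.count * (size_t)h.entry_size;
    return total <= len - sizeof(blob_header_t);   /* len >= header checked above */
}

/* Builds a constructed blob: header plus `payload_len` zero bytes.
 * Returns the blob length, or 0 if it does not fit in `cap`. */
static size_t make_blob(uint8_t *out, size_t cap, uint32_t count,
                        uint32_t entry_size, size_t payload_len) {
    blob_header_t h = { count, entry_size };
    if (cap < sizeof h || cap - sizeof h < payload_len) return 0;
    memcpy(out, &h, sizeof h);
    memset(out + sizeof h, 0, payload_len);
    return sizeof h + payload_len;
}

/* Convenience wrappers so a single header/payload case can be checked by name. */
bool case_unsafe(uint32_t count, uint32_t entry_size, size_t payload_len) {
    uint8_t buf[256];
    size_t n = make_blob(buf, sizeof buf, count, entry_size, payload_len);
    return n != 0 && validate_blob_unsafe(buf, n);
}

bool case_safe(uint32_t count, uint32_t entry_size, size_t payload_len) {
    uint8_t buf[256];
    size_t n = make_blob(buf, sizeof buf, count, entry_size, payload_len);
    return n != 0 && validate_blob_safe(buf, n);
}

int main(void) {
    /* 0x10000 * 0x10000 wraps to 0 in 32 bits: an 8-byte blob "validates". */
    printf("wrapping header, unsafe: %d safe: %d\n",
           case_unsafe(0x10000u, 0x10000u, 0), case_safe(0x10000u, 0x10000u, 0));
    /* Honest header: 2 entries of 4 bytes with 8 bytes of payload. */
    printf("honest header,   unsafe: %d safe: %d\n",
           case_unsafe(2, 4, 8), case_safe(2, 4, 8));
    return 0;
}
```

The defensive takeaway is that every length derived from user-controlled fields must be computed in a width that cannot wrap (or with checked arithmetic) and compared against the real input size before any loop trusts it; a fuzzer or code review looking for `count * size` expressions in IOCTL handlers finds this class quickly.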
The vulnerability, CVE-2020-17087, had not been publicly disclosed until now, and Google states that it is being actively exploited by attackers. Google therefore gave Microsoft one week to fix the flaw; that deadline has already passed, and Google has now published the details.
The zero-day affects Windows 7 and Windows 10. According to the researchers, attackers are using this vulnerability in combination with another bug in Chrome, which was fixed by Google last week. The bug allows attackers to escape Chrome’s sandbox, which is isolated from other applications, and run malware on the OS.
The vulnerability’s details were submitted to the Project Zero issue tracker on October 22, and seven days later the information was disclosed to the public. The researchers also published the source code of a proof-of-concept exploit for this 0day. They tested the PoC on an “up-to-date build of Windows 10 1903 (64-bit),” but noted that the issue was present in Windows 7 as well.
This vulnerability is being exploited in targeted attacks; however, Google’s threat intelligence director Shane Huntley claims that the attacks aren’t related to the US elections.
Project Zero’s technical lead Ben Hawkes tweeted about the issue and confirmed that Microsoft would issue a patch on November 10. Microsoft also released an official statement that read:
“Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers. While we work to meet all researchers’ deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption.”
Currently, there is no clarity on who the attackers are or what their motives may be. Moreover, according to a Microsoft spokesperson, the attack is limited in nature, and there is no evidence of widespread exploitation.